Managers do not need to understand all the complexities of cybersecurity, but they do need to understand the business impacts and the level of risks they are willing to accept. And this is where they should direct their research and questions, says Thomas Fikentscher, ANZ regional director, CyberArk.
Fikentscher argues that when boards ask their risk managers about the established procedures, policies, training and capabilities for managing the organisation's cybersecurity, they should also ask about the implications if and when those defences fail.
“What is the business impact of a failure? How can it be mitigated? Do we have the resources to address this issue immediately ourselves, or would we need outside help? How long would it take and what would it cost?”
Fikentscher's perspective echoes that of the directors and advisers we spoke to. They agreed that while cybersecurity literacy at board level is growing, significant gaps remain.
The rapid acceleration of digital transformation driven by the disruption of COVID has increased competition for talented and knowledgeable directors, making it more difficult to bring experienced talent onto the board.
The directors we spoke to on this subject say their colleagues now largely understand that cyber is an immediate, top-tier risk, with one describing it as “the problem that keeps me awake in bed, wondering whether we have ever been attacked”.
They recognise that cybersecurity is a highly technical and specialised field, beyond the experience and expertise of most directors. Still, they say the director's role is to make sure the company is well prepared, that it has the right procedures and a high-quality leadership team that can respond quickly and efficiently, and that this necessarily requires a certain level of understanding.
We asked several directors with experience across many industries to tell us how they view cybersecurity as a risk and how they focus their questions. We then asked what steps can be taken to better understand the answers they are given, and to ensure that those answers are accurate and true.
The immediate advice is to accept that a cyberattack will hit you when you least expect it, and that it will likely occur in a way you do not expect. It is also important to recognise that the instigators of cyberattacks are often sophisticated and well-organised criminals who run lucrative businesses.
“We are all holding hands trying to understand the nature of the risks and how to respond,” says Roger Sharp, the new chairman of financial services firm Iress, in addition to his role as chairman of Webjet.
Sharp is also a former ABN AMRO Bank Global Head of Technology and CEO of ABN AMRO Asia Pacific Securities, giving him a unique combination of business and technology experience.
“Boards need to make sure there are appropriate risk procedures, with a focus on risk management, prevention and cure,” Sharp says.
When it comes to risk management, he says, “Cyber should be close to or at the top of your risk agenda, or your audit and risk committee agenda. Management and the board need to come together to talk about cyber risk on a regular basis.”
Prevention, on the other hand, requires vigilance and investment, and companies should test both the physical and the online environment.
“For example, is physical security tight so people can't come into your office and start using your computers? Are your employees trained not to pick up and use random flash drives? Is there an up-to-date procedure manual? What cybersecurity programs and services do you use?”
Gerd Schenkel, chairman of Credit Clear, founder of UBank and former digital director at Telstra, warns that it is important to recognise that there can be no 100% protection against cyber risks, no matter how much you invest.
“Long-tail risks are inherently difficult to manage, as are earthquakes, major fires and floods. They are unlikely, but possible, and they have serious consequences.”
Instead, he advises that the way to approach cybersecurity is to focus on the frameworks you can set, the culture you create, and the ongoing conversations about cybersecurity.
“I would have a standing cyber risk item at each board meeting, invite technical experts regularly, listen well and not rely solely on vendors or consultants. There must be some internal expertise to provide the board with impartial and long-term advice.”
Like Sharp, Schenkel stresses the importance of having solid processes and the capability to respond when something happens.
“They need to be tested regularly, for example, business continuity processes.”
According to Schenkel, “it's impossible to predict everything, but it helps to keep it in mind.”
And when it comes to cure, Thomas Fikentscher offers key questions that directors should make sure they can answer in the event of a major breach.
- Are responsibilities clear? Is there a defined process that identifies who does what when a breach happens?
- Have you confirmed that the company has established escalation procedures and that they are up to date?
- Do you have external consultants you can engage immediately when you are attacked? Does the company's business relationship with them guarantee timely access?
- Is your business ready for a war-room environment when you are attacked? And do you understand what you can and cannot do?
- Who is the public face of the company when you need to report the breach?
- What is the company's philosophy on paying a ransom if you are caught in a ransomware attack? What determines the decision to fight or pay?
- Does the company have cyber insurance? And do you understand the coverage conditions?
Learn more about these issues at the Translating Cyber Risk into Business Impact for Board Dash Lunch. Sydney readers register here and Melbourne readers register here. Places are limited.
* The lunch is open to senior executives, risk managers and board members. No IT vendors or consultants, thank you.